Query Details

AR Cloud Shell Execution

Query

//KQL for Analytics Rule to track Cloud Shell Execution

AzureActivity
| where ResourceGroup startswith "CLOUD-SHELL"
| where ActivityStatusValue == "Start"
| extend action_ = tostring(parse_json(Authorization).action)
| summarize count() by TimeGenerated, ResourceGroup, Caller, CallerIpAddress, ActivityStatusValue
| extend AccountCustomEntity = Caller
| extend IPCustomEntity = CallerIpAddress

Explanation

This query is used to track the execution of Cloud Shell in Azure. It filters the Azure activity logs to only include activities in resource groups starting with "CLOUD-SHELL" and with an activity status of "Start". It then extracts the action performed from the authorization field and summarizes the count of activities by various attributes such as time generated, resource group, caller, caller IP address, and activity status. Finally, it adds custom entities for the account and IP address of the caller.
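As an added illustration (not part of the original query or Rod Trent's rule), the Python below replays the rule's filter and summarize steps over constructed AzureActivity-shaped records, reproducing two KQL details that matter when tuning it: `startswith` is case-insensitive while `==` is case-sensitive, and `tostring(parse_json(...).action)` yields an empty string for non-JSON input. Because `action_` is not among the summarize keys it never reaches the query's output rows, and the example mirrors that; the sample events and the `<sub-id>` scope are constructed placeholders.

```python
import json
from collections import Counter

def kql_startswith(value, prefix):
    """KQL `startswith` is case-insensitive (unlike `==`, which is case-sensitive)."""
    return value.lower().startswith(prefix.lower())

def extract_action(authorization):
    """Mirror tostring(parse_json(Authorization).action): non-JSON input or a missing key yields ""."""
    try:
        parsed = json.loads(authorization)
    except (TypeError, ValueError):
        return ""
    return str(parsed.get("action", "")) if isinstance(parsed, dict) else ""

def cloud_shell_start_events(records):
    """Apply the rule's two filters, then summarize by the same keys as the KQL query."""
    counts = Counter()
    for r in records:
        if not kql_startswith(r.get("ResourceGroup", ""), "CLOUD-SHELL"):
            continue
        if r.get("ActivityStatusValue") != "Start":  # case-sensitive, like KQL ==
            continue
        key = (r["TimeGenerated"], r["ResourceGroup"], r["Caller"],
               r["CallerIpAddress"], r["ActivityStatusValue"])
        counts[key] += 1
    rows = []
    for (ts, rg, caller, ip, status), n in sorted(counts.items()):
        rows.append({"TimeGenerated": ts, "ResourceGroup": rg, "Caller": caller,
                     "CallerIpAddress": ip, "ActivityStatusValue": status, "count_": n,
                     "AccountCustomEntity": caller, "IPCustomEntity": ip})
    return rows

# Constructed sample AzureActivity events (not real log data). Only rows 1, 2 and 4 should match:
# row 3 is not a Start, row 5 is not a Cloud Shell resource group, row 6 has lowercase "start".
AUTH = json.dumps({"action": "Microsoft.Storage/storageAccounts/listKeys/action",
                   "scope": "/subscriptions/<sub-id>/resourceGroups/cloud-shell-storage-westeurope"})
FIELDS = ("TimeGenerated", "ResourceGroup", "ActivityStatusValue", "Caller", "CallerIpAddress", "Authorization")
SAMPLE_AZURE_ACTIVITY = [dict(zip(FIELDS, row)) for row in [
    ("2020-12-03T10:00:00Z", "cloud-shell-storage-westeurope", "Start", "alice@example.com", "203.0.113.10", AUTH),
    ("2020-12-03T10:00:00Z", "cloud-shell-storage-westeurope", "Start", "alice@example.com", "203.0.113.10", AUTH),
    ("2020-12-03T10:00:05Z", "cloud-shell-storage-westeurope", "Succeeded", "alice@example.com", "203.0.113.10", AUTH),
    ("2020-12-03T11:00:00Z", "CLOUD-SHELL-STORAGE-EASTUS", "Start", "bob@example.com", "198.51.100.7", "not json"),
    ("2020-12-03T11:30:00Z", "prod-web-rg", "Start", "bob@example.com", "198.51.100.7", AUTH),
    ("2020-12-03T12:00:00Z", "cloud-shell-storage-eastus", "start", "carol@example.com", "192.0.2.44", AUTH),
]]
```

Running `cloud_shell_start_events(SAMPLE_AZURE_ACTIVITY)` returns two summarized rows, the first with `count_` of 2 for the two identical 10:00 Start events.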

Details

Rod Trent

Released: December 3, 2020

Tables

AzureActivity

Keywords

AzureActivity,ResourceGroup,ActivityStatusValue,Authorization,action_,TimeGenerated,Caller,CallerIpAddress,AccountCustomEntity,IPCustomEntity

Operators

|,where,startswith,==,tostring,parse_json,extend,summarize,count(),by,extend